Securing Your AWS Infrastructure with VPCs and Security Groups
For businesses operating in the cloud, network security is a necessity. One effective strategy for strengthening security within your AWS environment is network segmentation using AWS Virtual Private Clouds (VPCs) and Security Groups.
This blog post will delve into the best practices for creating logically isolated virtual networks with VPCs and controlling network traffic flow with Security Groups, helping you bolster your AWS security posture.
Understanding AWS VPCs and Security Groups
AWS VPC (Virtual Private Cloud) allows you to launch AWS resources in a logically isolated virtual network. You have full control over your virtual networking environment, including the selection of IP address ranges, creation of subnets, and configuration of route tables and network gateways. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
Security Groups control the traffic that is allowed to reach and leave the resources they are associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for that instance, acting as a virtual, stateful firewall: if an inbound request is allowed, the response is allowed back out regardless of the outbound rules, and vice versa. You can specify the source, port range, and protocol for each inbound rule, and the destination, port range, and protocol for each outbound rule. Security Groups contain allow rules only; there are no deny rules, so anything not explicitly allowed is dropped. A newly created Security Group allows no inbound traffic and allows all outbound traffic (the default Security Group that comes with every VPC additionally allows inbound traffic from other resources in the same group), which you can modify to fit your security requirements.
Best Practices for Network Segmentation with AWS VPCs
1. Design a Comprehensive VPC Architecture
Start with a clear plan: Map out your network architecture before implementation. Define your IP address ranges, subnet allocation, and the relationships between different subnets and VPCs.
The resources in your VPC communicate with each other and with resources over the internet using IP addresses. When you create VPCs and subnets, you can select their IP address ranges. When you deploy resources in a subnet, such as EC2 instances, they receive IP addresses from the IP address range of the subnet.
Plan to divide each VPC into subnets based on your connectivity requirements. For example:
- If you have web servers that will receive traffic from clients on the internet, create a subnet for these servers in each Availability Zone.
- If you also have servers that will receive traffic only from other servers in the VPC, create a separate subnet for these servers in each Availability Zone.
- If you have servers that will receive traffic only through a VPN connection to your network, create a separate subnet for these servers in each Availability Zone.
Use multiple VPCs for different environments: Separate your development, testing, and production environments into different VPCs to minimize the impact of security incidents.
For a development or test environment, you might choose to save money by deploying your resources in only one Availability Zone.
For a production environment, we recommend that you select at least two Availability Zones and deploy your AWS resources evenly in each active Availability Zone.
2. Implement Subnet Isolation
Public and private subnets: Place resources that need direct internet access in public subnets and those that do not in private subnets. If your application will receive traffic from the internet, the VPC must have an internet gateway. Attaching an internet gateway to a VPC does not automatically make your instances accessible from the internet. In addition to attaching the internet gateway, you must update the subnet route table with a route to the internet gateway. You must also ensure that the instances have public IP addresses and an associated security group that allows traffic from the internet over specific ports and protocols required by your application.
Use Network Address Translation (NAT) gateways to allow instances in a private subnet to access the internet (for example, to download updates) without allowing unsolicited inbound connections from the internet. To do that, add a public NAT gateway in each active Availability Zone and update the route table to send internet traffic to the NAT gateway.
Tiered subnets: Organize your subnets based on application tiers (e.g., web, application, database) and enforce strict access controls between them. Define network connectivity and restrictions between your web servers, application servers, and databases.
Spreading each tier across 3 Availability Zones gives you high availability and redundancy: if one Availability Zone suffers an outage or another unexpected event, traffic can continue to flow to the instances in the other 2 Availability Zones, provided each tier is actually deployed in every zone.
To split a network into 3 tiers and across 3 availability zones, you’d have the following 9 subnets:
- Public Layer: 3 public subnets, one in each Availability Zone
- Application Layer: 3 private subnets, one in each Availability Zone
- Database Layer: 3 private subnets, one in each Availability Zone
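The following is an added example, not code from the original post: it carries the address planning from step 1 and the 3-tier by 3-AZ layout and routing from step 2 into a small Python planner using only the standard library, so it runs offline and creates nothing in AWS. It carves a VPC block into the nine subnets, reports the usable address count per subnet (AWS reserves five addresses in every subnet), derives a route table per subnet (public tier to the internet gateway, application tier to a NAT gateway in the same Availability Zone, database tier local only), and checks two VPC CIDRs for overlap, which peering later requires you to avoid. The gateway IDs `igw-EXAMPLE` and `nat-<az>-EXAMPLE` are placeholders and not real resources.

```python
"""Carve a VPC CIDR into a 3-tier x 3-AZ subnet layout and derive each subnet's route table.

Pure-Python planning (stdlib ipaddress only); nothing is created in AWS.
"""
import ipaddress
from typing import Dict, List

# AWS reserves the first four and the last address of every subnet
# (network address, VPC router, DNS, reserved for future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5

TIERS = ("public", "app", "db")
AZS = ("a", "b", "c")  # AZ suffixes; three AZs as in the layout above

# Hypothetical gateway IDs; a real plan would substitute the IDs returned by EC2.
IGW_ID = "igw-EXAMPLE"
NAT_ID = {az: f"nat-{az}-EXAMPLE" for az in AZS}  # one NAT gateway per AZ


def plan_subnets(vpc_cidr: str, new_prefix: int = 24,
                 tiers=TIERS, azs=AZS) -> Dict[str, Dict[str, str]]:
    """Return {tier: {az: subnet_cidr}}, allocating /new_prefix blocks in order.

    Raises ValueError if the VPC block cannot hold len(tiers) * len(azs) subnets.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    needed = len(tiers) * len(azs)
    blocks = list(vpc.subnets(new_prefix=new_prefix))
    if len(blocks) < needed:
        raise ValueError(
            f"{vpc_cidr} holds {len(blocks)} /{new_prefix} subnets, need {needed}")
    it = iter(blocks)
    return {tier: {az: str(next(it)) for az in azs} for tier in tiers}


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses actually assignable to instances in the subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def route_tables(plan: Dict[str, Dict[str, str]], vpc_cidr: str) -> Dict[str, List[dict]]:
    """One route table per subnet, keyed 'tier-az'.

    public: local route plus a default route to the internet gateway
    app:    local route plus a default route to the NAT gateway in the same AZ
    db:     local route only, so the database tier has no path to the internet
    """
    tables: Dict[str, List[dict]] = {}
    for tier, by_az in plan.items():
        for az in by_az:
            routes = [{"destination": vpc_cidr, "target": "local"}]
            if tier == "public":
                routes.append({"destination": "0.0.0.0/0", "target": IGW_ID})
            elif tier == "app":
                routes.append({"destination": "0.0.0.0/0", "target": NAT_ID[az]})
            tables[f"{tier}-{az}"] = routes
    return tables


def cidrs_overlap(a: str, b: str) -> bool:
    """VPC peering requires non-overlapping CIDRs; check before peering two VPCs."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16")
    for tier, by_az in plan.items():
        for az, cidr in by_az.items():
            print(f"{tier}-{az}: {cidr} ({usable_hosts(cidr)} usable hosts)")
    for name, routes in route_tables(plan, "10.0.0.0/16").items():
        print(name, routes)
    print("10.0.0.0/16 overlaps 10.1.0.0/16?", cidrs_overlap("10.0.0.0/16", "10.1.0.0/16"))
```

Allocating in tier order keeps each tier's subnets contiguous, which makes route tables and later network ACLs easier to read; a /16 VPC with /24 subnets leaves plenty of room to add a fourth tier without renumbering.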
3. Leverage VPC Peering and Transit Gateways
VPC Peering: A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different Regions (also known as an inter-Region VPC peering connection). Two constraints matter for design: the CIDR blocks of peered VPCs must not overlap, and peering is not transitive (if VPC A peers with B and B peers with C, A cannot reach C through B). Ensure that route tables and security groups are correctly configured to enforce least-privilege access; a peering connection only adds a route, it does not by itself open any traffic.
Transit Gateways: For complex multi-VPC architectures, consider using AWS Transit Gateway, which acts as a central hub, to route traffic between your VPCs, VPN connections, and AWS Direct Connect connections.
One of the key benefits of using a transit gateway is the ability to centralize and simplify the management of connectivity between your VPCs and on-premises networks. Rather than configuring multiple VPN connections or Direct Connect links, you can leverage the transit gateway as a single point of integration, which can help reduce the overall complexity and operational overhead of your network architecture. In short, it simplifies your network topology and improves manageability.
Best Practices for Using Security Groups
1. Principle of Least Privilege
Minimize permissions: Ensure security groups grant the least privilege necessary. Only allow the minimum required traffic to and from your instances. For example, if a web server only needs to receive HTTP and HTTPS traffic, restrict the inbound rules to ports 80 and 443.
Restrict outbound traffic: By default, Security Groups allow all outbound traffic. Review and restrict outbound rules to reduce potential data exfiltration risks. Specify only required IPs and ports.
2. Layered Security with Multiple Security Groups
Use multiple Security Groups: An instance can be associated with one or more Security Groups, and the union of their rules determines what traffic is allowed to reach it. A typical layout for a group of related instances (a stack) looks like this:
- For stacks in your public subnets, one Security Group accepts HTTP (80) and HTTPS (443) from all locations (the internet). A separate group accepts SSH and RDP only from your corporate network and your bastion hosts. Those stacks can then egress through any port to the internet, and to your private subnets and other stacks in your public subnets.
- Stacks in your private subnets accept traffic only from the tier in front of them and can egress to other stacks in your private subnets; instances within a stack can communicate with each other over any protocol.
In a nutshell, assign multiple Security Groups to an instance to apply layered security controls. For example, one Security Group can handle SSH access, another can handle HTTP/HTTPS, and yet another can handle database access.
Reference Security Groups: Use Security Group IDs as sources or destinations in other Security Group rules instead of IP addresses to create logical groupings of permissions. A database group that allows port 5432 only from the application tier's Security Group keeps working when application instances are replaced and their IP addresses change, whereas a CIDR-based rule would have to be updated (or, more often, would be left too broad). Security Group references work within a VPC and across a peering connection in the same Region; inter-Region peering does not support them, so those rules must fall back to CIDR ranges. This practice simplifies management and makes the intent of each rule clear.
3. Regular Audits and Updates
Periodic reviews: Regularly review and update your Security Group rules so they stay aligned with current security policies and requirements. A review should inventory all groups (including unattached ones, which should be deleted), check every inbound and outbound rule, verify that source and destination IP ranges are still correct, confirm that each open port is still needed, keep groups tagged and documented, plan and test changes before applying them, and monitor rule changes with Amazon CloudWatch. The usual findings are inbound rules open to 0.0.0.0/0 on administrative or database ports such as SSH (22), RDP (3389) and 3306/5432, and outbound allow-all rules that were never tightened. Keeping these in check ensures minimal exposure and adherence to security policies.
Automate audits: Use AWS Config managed rules (for example restricted-ssh, which flags Security Groups that allow unrestricted inbound SSH) and AWS Security Hub to continuously monitor Security Group configurations and compliance status, so that risky rules are detected when they appear rather than at the next manual review.
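The following is an added example, not code from the original post or from AWS: a Python audit that applies the least-privilege rules from this section (inbound only on the ports a tier needs, nothing administrative open to the world, outbound tightened from the default allow-all) to Security Group data in the shape returned by the EC2 DescribeSecurityGroups API (`ec2.describe_security_groups()` in boto3). It runs offline on the constructed sample at the bottom, whose group IDs are made up, and unchanged on a real response. Rules whose source is another Security Group rather than a CIDR are treated as acceptable, which is the pattern the previous section recommends.

```python
"""Flag security group rules that violate least privilege.

Works on the data shape returned by EC2 DescribeSecurityGroups, so it can be
fed a real response; the sample at the bottom is constructed for offline use.
"""
from typing import List

WORLD = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_TCP = {80, 443}  # what a web tier may expose to the internet
SENSITIVE_TCP = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}
TCP = ("tcp", "6")  # the API accepts the protocol name or its number


def world_ranges(rule: dict) -> List[str]:
    """Return the IPv4/IPv6 ranges in a rule that mean 'anywhere on the internet'."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def port_set(rule: dict) -> set:
    """Ports a rule opens; protocol -1 carries no FromPort/ToPort and means everything."""
    if rule["IpProtocol"] == "-1":
        return set(range(0, 65536))
    return set(range(rule.get("FromPort", 0), rule.get("ToPort", 65535) + 1))


def audit_group(sg: dict) -> List[str]:
    """Return one finding per rule that breaks the least-privilege policy above."""
    findings = []
    gid = sg["GroupId"]
    for rule in sg.get("IpPermissions", []):
        world = world_ranges(rule)
        if not world:
            continue  # limited to specific CIDRs or to other security groups: acceptable
        src = ",".join(world)
        if rule["IpProtocol"] == "-1":
            findings.append(f"{gid}: inbound ALL protocols/ports from {src}")
            continue
        ports = port_set(rule)
        if rule["IpProtocol"] in TCP:
            hits = sorted(p for p in ports if p in SENSITIVE_TCP)
            if hits:
                names = ",".join(f"{SENSITIVE_TCP[p]}/{p}" for p in hits)
                findings.append(f"{gid}: inbound {names} open to {src}")
            elif not ports <= ALLOWED_PUBLIC_TCP:
                findings.append(f"{gid}: inbound tcp {min(ports)}-{max(ports)} "
                                f"open to {src}, not a web port")
        else:
            findings.append(f"{gid}: inbound {rule['IpProtocol']} open to {src}")
    for rule in sg.get("IpPermissionsEgress", []):
        if rule["IpProtocol"] == "-1" and world_ranges(rule):
            findings.append(f"{gid}: outbound allow-all to the internet (the default rule)")
    return findings


def audit_all(response: dict) -> List[str]:
    """Audit every group in a DescribeSecurityGroups response."""
    out: List[str] = []
    for sg in response["SecurityGroups"]:
        out.extend(audit_group(sg))
    return out


# Constructed sample shaped like a DescribeSecurityGroups response; IDs are made up.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0web0000example",
            "GroupName": "web-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # SSH to the world: a finding
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # untouched default
            ],
        },
        {
            "GroupId": "sg-0db00000example",
            "GroupName": "db-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "UserIdGroupPairs": [{"GroupId": "sg-0app0000example"}]},  # SG reference
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
            ],
        },
    ]
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_RESPONSE):
        print(finding)
```

On the sample, the web tier produces two findings (SSH open to the world, and the default outbound allow-all) while the database tier, which uses a Security Group reference and a restricted egress rule, produces none. The allowed and sensitive port sets are policy, so adjust them per tier rather than treating the defaults as universal.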
Conclusion
Network segmentation with AWS VPCs and Security Groups is a powerful strategy to enhance security within your AWS environment. By following best practices such as designing a comprehensive VPC architecture, implementing subnet isolation, leveraging VPC peering and transit gateways, adhering to the principle of least privilege, and regularly auditing your Security Group rules, you can create a secure, manageable, and scalable cloud infrastructure.
Embrace these practices to safeguard your AWS resources and ensure robust protection against potential threats.